
Is checking Google reCaptcha v3 score on client side safe and effective?

I am using Stripe to accept payments and much of the payment process is done in client side JavaScript. I would like to check the reCaptcha score value during this payment process, to reduce fraud/credit card testing, etc. During this JavaScript script processing, I could prevent certain credit card/payment processes from occurring by checking the score value first.

Is it safe and effective to interpret the score of a Google reCaptcha v3 verification on the client side (browser)? Or is server side verification and score interpretation most effective?

The Google reCaptcha documentation doesn't indicate where the score value should be interpreted. I've always learned to "not trust the client", however this score checking would occur on the client.

I can't think of a client side validation that could ever be safe.

One of the best elements of V3 is that, unlike V2, V3 doesn't return a straight answer as to whether the reCaptcha was passed or not. Instead, V3 will return a score ranging from 0-1 and the developer will receive that score and decide what to do with it. Usually a developer will have a threshold and display 2FA if a score is below that threshold.

The issue is that if you implement your validation code client side and you set a score threshold client side, a user can modify the threshold on your client rendered code thus completely rendering V3 ineffective.

The other part of the security concern is that when checking a score from your back-end, to authenticate you need to send a "secret key".

According to Google's documentation:

The secret key authorizes communication between your application backend and the reCAPTCHA server to verify the user's response. The secret key needs to be kept safe for security purposes.

I don't understand why the secret key would pose a security threat, but Google has indicated that it will. If you move your back-end validation to the client, that secret key will be visible when inspecting your website code.

Also, it's worth mentioning that Google pretty explicitly listed "verify the user's response" under "server side validation". So although not explicitly stated in the text, I think it's pretty clearly implied that Google expects validation to happen on the back-end.

Google documentation
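As an added illustration of the back-end verification the answer recommends (this is example code, not from the original post or from Google), here is a server-side flow: the browser only forwards the v3 token, the server posts it to the siteverify endpoint with the secret read from an environment variable (assumed name `RECAPTCHA_SECRET`), and the score threshold, action name (`"payment"`) and hostname (`shop.example`) are all assumptions checked on the server, so none of them can be edited in the browser.

```python
"""Server-side reCAPTCHA v3 verification and score thresholding.

Added example, not code from the original post. Assumptions:
- the secret lives only on the server, in the RECAPTCHA_SECRET env var,
- the browser sends the v3 token alongside the payment request,
- the server alone decides whether the charge may proceed.
"""
import json
import os
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Operator-chosen threshold (assumed starting point; tune from your own traffic).
DEFAULT_THRESHOLD = 0.5


def evaluate_siteverify(result, expected_action, expected_hostname,
                        threshold=DEFAULT_THRESHOLD):
    """Decide whether a siteverify JSON result permits the protected action.

    Returns (allowed, reason). Every check runs server-side, so neither the
    threshold nor the secret is ever exposed to the browser.
    """
    if not result.get("success"):
        return False, "siteverify reported failure: %s" % result.get("error-codes", [])
    # A v3 token is bound to the action name passed to grecaptcha.execute();
    # comparing it stops a token minted for a low-risk page being reused here.
    if result.get("action") != expected_action:
        return False, "action mismatch: %r" % result.get("action")
    if expected_hostname and result.get("hostname") != expected_hostname:
        return False, "hostname mismatch: %r" % result.get("hostname")
    score = result.get("score")
    if not isinstance(score, (int, float)):
        return False, "missing score"
    if score < threshold:
        return False, "score %.2f below threshold %.2f" % (score, threshold)
    return True, "score %.2f" % score


def verify_token(token, remote_ip=None, timeout=5):
    """POST the browser-supplied token to siteverify with the server-held secret."""
    secret = os.environ["RECAPTCHA_SECRET"]  # never shipped to the client
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=data, timeout=timeout) as resp:
        return json.load(resp)


def payment_allowed(token, remote_ip=None, hostname="shop.example",
                    threshold=DEFAULT_THRESHOLD):
    """Gate the charge on the server; an unverifiable token refuses the charge."""
    try:
        result = verify_token(token, remote_ip)
    except Exception as exc:
        # Fail closed: a payment endpoint should not proceed when the
        # verification service (or the secret) is unavailable.
        return False, "siteverify unreachable: %s" % exc
    return evaluate_siteverify(result, "payment", hostname, threshold)


if __name__ == "__main__":
    # Constructed sample responses in the shape siteverify returns.
    good = {"success": True, "score": 0.9, "action": "payment",
            "hostname": "shop.example", "challenge_ts": "2024-01-01T00:00:00Z"}
    low = dict(good, score=0.2)
    print(evaluate_siteverify(good, "payment", "shop.example"))  # (True, 'score 0.90')
    print(evaluate_siteverify(low, "payment", "shop.example"))   # (False, 'score 0.20 below threshold 0.50')
```

The browser's only job in this design is to call `grecaptcha.execute(siteKey, {action: "payment"})` and send the resulting token to the server together with the payment request; the Stripe charge is created only when `payment_allowed` returns `True`, so a user who edits the client-side JavaScript can skip the check in their own browser but cannot make the server accept the charge.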
